From asl@USA.ALCATEL.COM Mon Jan 10 16:59:07 2000
From: asl@USA.ALCATEL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 27 Dec 1999 17:01:38 -0600
Subject: Trend Micro InterScan VirusWall SMTP bug
Alcatel Security Advisory
InterScan VirusWall SMTP bug
12/27/99
Affected Systems
----------------
Trend Micro's InterScan VirusWall version 3.0.1 for Solaris.
Severity
--------
The NewApt Worm is currently exploiting this bug to avoid detection.
Synopsis
---------
By sending an SMTP message with a malformed attachment, it is possible
for malicious code to avoid detection by Trend Micro's InterScan SMTP
scanner version 3.0.1 for Solaris. Other versions may be affected as
well, but were not tested.
Description
-----------
RFC2045 describes the number of padding characters needed at the end
of a base64 encoded MIME attachment. InterScan VirusWall does not
properly handle incorrectly padded attachments. Upon receiving such
an attachment, InterScan fails to scan the attachment properly and
the message is allowed to pass through; however, InterScan does log
the following message to its system logs:
base64: Unexpected EOF seen
Note: This modification of the padding does not appear to affect
mail clients such as Netscape Communicator.
Example
-------
We noticed this bug while testing the product with live viruses.
The NewApt Worm replicates by replying to emails in the victim's
mailbox. The above error message was a clear indication
that this particular attachment was problematic. It was determined
that an extra "=" character at the end of the base64 encoding was
the cause of the problem. Further investigation revealed that if
the correct number of "=" characters (as per RFC2045) were not
present, InterScan failed to catch the virus. This was tested
with several other viruses such as Melissa and Shankar.
To exploit this vulnerability, create a new message with the virus
of your choice attached. Save this message to your local disk.
Edit the message and add any number of "=" characters to the
end of the base64 encoded attachment. This message will now pass
through the InterScan VirusWall, and the virus will remain
undetected and intact.
Patch
-----
Trend Micro has posted a fix for this bug. The patch is can be
downloaded from the following URL:
http://www.antivirus.com/download/patches.htm
The patch is titled isvwsol301a_u2.tar
References
---------
Trend Micro
http://www.trend.com
RCF2045
ftp://ftp.isi.edu/in-notes/rfc2045.txt
NewApt Worm Advisory
http://vil.nai.com/vil/wm10475.asp